SEC Fines Morgan Stanley $1 Million for Failing to Secure Client Data

June 2016

Morgan Stanley Smith Barney agreed to pay the SEC $1 million to resolve charges that it failed to take adequate measures to secure its customer data in violation of the SEC’s Safeguards Rule. Through this and similar cases, the SEC has sent a clear signal that it prioritizes forcing registered investment advisors and broker-dealers to secure customer data through adequate systems designed to prevent unauthorized access. Indeed, Andrew Ceresney, Director of the SEC Enforcement Division, explained that “data security is a critically important aspect of investor protection” and that the SEC expects registrants “of all sizes to have policies and procedures that are reasonably designed to protect customer information.”

The SEC’s Safeguards Rule (Rule 30(a) of Regulation S-P) requires registered investment advisors and broker-dealers to adopt written policies and procedures “reasonably designed to protect customer records and information.” Morgan Stanley, which settled without admitting or denying liability, faced scrutiny for allegedly failing to establish adequate cybersecurity safeguards before a three-year series of breaches committed by a now-former employee.

The SEC focused on Morgan Stanley’s alleged failure to monitor and effectively restrict employee access to customer data through two internal web “portals” during a span of over ten years. Although Morgan Stanley restricted access to these portals through a system of authorization modules, the restrictions proved ineffective as the employee was able to access and misappropriate data for approximately 730,000 accounts associated with roughly 330,000 households. This data was subsequently hacked from the employee’s personal server and offered for sale online.

The SEC also alleged that Morgan Stanley failed to have procedures in place to detect and discover inappropriate access to customer data. The SEC contended that an internal audit likely would have uncovered the deficiencies in Morgan Stanley’s authorization modules. Morgan Stanley, however, had not conducted such an audit in over ten years. Finally, the SEC contended that Morgan Stanley failed to monitor or analyze its employees’ access to, and use of, the internal web portals.

Given the SEC’s priority focus on cybersecurity and compliance with the Safeguards Rule, registrants should view Morgan Stanley’s $1 million fine as a clear sign that the SEC expects full compliance with the Safeguards Rule. To that end, registrants should:

(1) maintain robust internal controls to ensure that customer data can be accessed only by select individuals;
(2) conduct tests to ensure that unscrupulous employees cannot exploit programming flaws and gain unauthorized access;
(3) have systems in place whereby employee access to customer data can be tracked or monitored; and
(4) consider obtaining and/or reviewing their cybersecurity insurance policies to protect themselves in the event of regulatory fines and penalties.

In effect, best practices should constitute a two-tiered system where, on one level, employee access to customer data is appropriately restricted and, on a second level, controls are implemented to ensure that the restrictions are working and employees are not gaining impermissible access to client information. A failure to do so may be judged “unreasonable” and create liability under the Safeguards Rule.

© 2016 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.